> > By "exploitable" you mean "it might be possible to work around the CSP
> > restrictions on a case-by-case basis and continue exploiting some of
> > the sites that are already exploitable without CSP protection," right?
> >
Agreed. Though ROP and finding "gadgets" have become somewhat of a science, that hardly means that DEP/NX hasn't provided a significant increase in the security of applications that opt in to the protection.
The JSONP issue is one I've heard from multiple people, though, including CSP early adopters. Is it time to standardize a safer way to use JSONP? Perhaps independent of CSP, perhaps in concert with it, adding a jsonp-src directive to allow its use without taking on all the attack surface other script content hosted at such a domain might afford? CORS offers an alternative, but there is a huge deployed base of JSONP APIs that aren't going anywhere.
I've seen the proposal at http://json-p.org/, but am thinking something more like:
jsonp.load(callbackName, uri);
It should be relatively simple to recognize a "safe" (named callback + JSON data only) response as an AST at that point, no?
-Brad
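A worked illustration of the "recognize a safe response" idea from the message above, added here as example code that is not part of the thread or of any browser or CSP implementation: a strict checker that accepts a JSONP body only when it is exactly one call to the expected callback with a single JSON argument, and rejects anything that carries further script. The function name parseSafeJsonp, the result shape and the sample responses are assumptions for illustration.

```javascript
// Added example, not code from the thread: a strict recognizer for a "safe"
// JSONP response, i.e. exactly one call to the expected callback whose sole
// argument is JSON and nothing else. The function name parseSafeJsonp and the
// result shape are assumptions for illustration, not any browser or CSP API.

// A (possibly dotted) ASCII identifier such as "cb" or "app.cb".
const CALLBACK_NAME = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;

// Returns { ok: true, data } when text is exactly "<callbackName>(<JSON>)" with
// an optional trailing ";", otherwise { ok: false, reason }. JSON.parse is the
// only evaluation performed, so non-data content is rejected, never executed.
function parseSafeJsonp(text, callbackName) {
  if (!CALLBACK_NAME.test(callbackName)) {
    return { ok: false, reason: "invalid callback name" };
  }
  let s = text.trim();
  // Tolerate only the common "/**/" anti-hijacking prefix, nothing else.
  if (s.startsWith("/**/")) s = s.slice(4).trimStart();
  if (!s.startsWith(callbackName)) {
    return { ok: false, reason: "expected callback is not the first token" };
  }
  s = s.slice(callbackName.length).trimStart();
  if (s[0] !== "(") {
    return { ok: false, reason: "callback name is not followed by a call" };
  }
  s = s.slice(1).trimEnd();
  if (s.endsWith(";")) s = s.slice(0, -1).trimEnd();
  if (!s.endsWith(")")) {
    return { ok: false, reason: "unterminated call or trailing code" };
  }
  let data;
  try {
    data = JSON.parse(s.slice(0, -1)); // anything that is not JSON fails here
  } catch (e) {
    return { ok: false, reason: "argument is not JSON: " + e.message };
  }
  return { ok: true, data };
}

// Constructed sample responses: only the first is a pure data callback.
const SAMPLES = {
  safe: 'cb({"user": "alice", "roles": ["admin"]});',
  trailingCode: 'cb({"user": "alice"}); injected();',
  expressionArg: 'cb(document.title)',
  wrongCallback: 'otherFn({"user": "alice"})',
};
for (const [name, text] of Object.entries(SAMPLES)) {
  console.log(name, parseSafeJsonp(text, "cb"));
}
```

Because the argument goes through JSON.parse rather than the script engine, a response that is not a named callback wrapped around pure data is reported as unsafe instead of being run.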